Welcome to NBlog, the NoticeBored blog

I may meander but I'm 'exploring', not lost

Apr 9, 2012

SMotW #1: Unowned information asset days

Security Metric of the Week #1: Unowned information asset days

We will be introducing, discussing and scoring a "Security Metric of the Week" (SMotW) through this blog for the foreseeable future. We know of literally hundreds, if not thousands, of candidate metrics, including those that are proposed in various standards, books and published lists of metrics, along with a few of our own creation. On top of that, we frequently come across novel metrics during our consulting work or simply in the stream of information that flows past every well-connected professional every day. If you would like us to consider, score and discuss your favorite security metric, by all means email us, raise a comment on this blog, or join the Security Metametrics discussion forum.

Unowned information asset days is a candidate metric concerning asset ownership, an important governance concept that underpins accountability for the adequate protection of information assets.

It is a measure of the number of days that information assets remain without nominal owners for various reasons such as:

It is a new asset for which an owner has not yet been designated by management;

The designated owner has left the organization, or has been given a new set of responsibilities and is no longer accountable for the asset's protection;

The information asset ownership practices are not in place or are not working well.

Unowned or orphaned assets are unlikely to get much attention and care. In other words, if nobody feels responsible for their protection, perhaps nobody will bother to risk-assess, secure and generally look after them. Just look at what happens to 'pool cars' and typical office printers to see what we mean.
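One way to compute the metric from an asset register, as an added example that is not part of the original post. The register layout, the asset and owner names, the exclusive end dates and the choice to sum per-asset days over a reporting period are all assumptions made for illustration.

```python
from datetime import date

# Constructed sample register (not from the post). Each asset has a creation
# date and a list of (owner, start, end) assignments. Assumption: 'end' is the
# first day WITHOUT that owner; end=None means the assignment is still current.
REGISTER = {
    # Owner left on 1 Feb, replacement designated on 15 Feb: a 14-day gap.
    "hr-database": {"created": date(2012, 1, 1),
                    "owners": [("alice", date(2012, 1, 1), date(2012, 2, 1)),
                               ("bob", date(2012, 2, 15), None)]},
    # New asset for which no owner has been designated yet.
    "new-wiki": {"created": date(2012, 3, 1), "owners": []},
    # Continuously owned asset: contributes nothing to the metric.
    "file-share": {"created": date(2011, 6, 1),
                   "owners": [("carol", date(2011, 6, 1), None)]},
}

def unowned_days(asset, period_start, period_end):
    """Days in [period_start, period_end) on which the asset existed unowned."""
    start = max(asset["created"], period_start)
    if start >= period_end:
        return 0  # asset did not exist during the reporting period
    # Clip every ownership interval to the period, dropping empty ones.
    spans = []
    for _owner, s, e in asset["owners"]:
        s = max(s, start)
        e = period_end if e is None else min(e, period_end)
        if s < e:
            spans.append((s, e))
    # Walk the sorted intervals so overlapping owners are not double counted.
    owned, cursor = 0, start
    for s, e in sorted(spans):
        s = max(s, cursor)
        if s < e:
            owned += (e - s).days
            cursor = e
    return (period_end - start).days - owned

def unowned_asset_days(register, period_start, period_end):
    """Return (total unowned asset days, per-asset breakdown) for the period."""
    per_asset = {name: unowned_days(a, period_start, period_end)
                 for name, a in register.items()}
    return sum(per_asset.values()), per_asset

if __name__ == "__main__":
    total, detail = unowned_asset_days(REGISTER, date(2012, 1, 1), date(2012, 4, 1))
    print(total, detail)
```

The per-asset breakdown is what makes the number actionable: it shows which assets need an owner designated, not just that the total is rising.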

| P  | R  | A  | G  | M  | A  | T  | I  | C  | Score |
|----|----|----|----|----|----|----|----|----|-------|
| 40 | 51 | 84 | 77 | 74 | 86 | 92 | 94 | 82 | 76%   |

Using the PRAGMATIC method, this metric scores a respectable 76%. It is held back a little by the Predictive and Relevant criteria since ownership and accountability are not sufficient, in themselves, to ensure that information assets are adequately secured. Driving up asset ownership and accountability should lead to better security in time, but only as part of a coherent and comprehensive approach to information management, governance and security.